PRTG Alerts with Autotask CI Association
This tutorial walks through building a workflow that processes alert emails from PRTG Network Monitor, looks up the matching Configuration Item (CI) in Autotask by a device identifier, and creates a ticket on that CI's account. If no matching CI is found, a catch-all ticket is created on the zero account so the alert is never lost.
Overview
PRTG sends alert emails that include a device identifier (such as a probe ID, sensor name, or hostname). The workflow uses the Create Autotask Ticket by Configuration Item action to extract the identifier, match it to a CI in Autotask, and create a ticket in one step. A fallback rule handles alerts that cannot be matched.
Related pages:
- Create Autotask Ticket by Configuration Item
- Monitoring Alerts Tutorial (shows the same pattern using raw API calls instead)
- Core Concepts
Before You Start
- Create a dedicated mailbox for PRTG alerts (for example,
[email protected]) - Configure PRTG to send alert notifications to this address
- Send a few test alerts through so they appear in History, then open them to see the exact email format PRTG produces
- Identify the device identifier in the email body (for example,
Probe ID:,Sensor:, orDevice:followed by a value) - Confirm which field on the Autotask CI stores the matching value (Serial Number, Reference Title, or a User-Defined Field)
Step 1: Create the Rule
- Open your PRTG alerts mailbox and click Add New Rule
- Name it
Process PRTG Alert - Leave the Expression empty so every email is processed by this rule
Step 2: Add the "Create Ticket by CI" Action
This action handles identifier extraction, CI lookup, and ticket creation in one step.
- Click Add New Action, select Create Autotask Ticket by Configuration Item, click OK
- Name the step
Create Ticket for PRTG Alert
Configuration - Identifier Extraction:
| Field | Value |
|---|---|
| Identifier Source | Unlock the field, then enter: {{after_string email.body "Probe ID: " flags="tn"}} |
| If identifier not found | Skip this action |
The after_string helper looks for Probe ID: in the email body, captures everything after it up to the next newline (n flag), and trims whitespace (t flag). Adjust the label to match whatever your PRTG emails use (for example, Device: or Sensor: ).
Configuration - CI Matching:
| Field | Value |
|---|---|
| CI field to match | Select the Autotask CI field that stores the same value PRTG includes in the email (for example, Serial Number, Reference Title, or a UDF) |
| If no CI found | Skip this action |
Configuration - Ticket Fields:
Populate each required field (fields marked with an asterisk in the UI are required). At minimum:
| Field | Value |
|---|---|
| Status | New |
| Priority | Set as appropriate for alert severity |
| Queue | Your monitoring alerts queue |
| Title | {{email.subject}} |
| Description | {{email.body}} |
Action When Complete: Set to Stop processing this message completely
This tutorial uses the Create Autotask Ticket by Configuration Item workflow action, which handles extraction, CI lookup, and ticket creation in one step. The Monitoring Alerts Tutorial shows how to build the same pattern using individual API call actions chained together, which gives you more control over each step. Choose whichever approach fits your needs.
Step 3: Add a Catch-All Ticket
If the CI action is skipped (identifier not found or no matching CI), a fallback action creates a generic ticket so the alert is not lost.
- Click Add New Action, select API: Create an Object, click OK
- Name the step
Create Catch-All Ticket - Set Entity Type to
Ticket - Configure the required fields:
| Field | Value |
|---|---|
| AccountID | Your zero account (unlock the field and enter 0) |
| Status | New |
| Priority | Medium |
| Title | Unmatched PRTG alert: {{email.subject}} |
| Description | {{email.body}} |
| QueueID | Your monitoring alerts queue |
Step 4: Add a Final Stop
- Click Add New Action, select Stop Processing This Message Completely, click OK
- Name it
Stop
Rule Summary
The final rule has three actions:
- Create Ticket for PRTG Alert (CI action): if the identifier is extracted and the CI is found, creates a ticket on the CI's account and stops the message
- Create Catch-All Ticket (API create): only runs if action 1 was skipped; creates a ticket on the zero account
- Stop: stops the message so no further rules fire
Test the Workflow
- Replay a PRTG alert email from History (or send a new one)
- Open the processing log and verify:
- The identifier was extracted correctly
- The CI was found in Autotask (or not, for the catch-all path)
- A ticket was created on the correct account
- Open the ticket in Autotask and confirm the CI is associated
To test the catch-all path, send an email with a device identifier that does not exist in Autotask. Verify the catch-all ticket is created on the zero account.
Key Takeaways
- One mailbox per monitoring tool: keep PRTG rules isolated from other workflows
- Send sample emails first: open them in History to see exactly how Email2AT parsed the email before building extraction logic
- Always include a catch-all: if the CI action skips, a fallback ticket ensures no alert is lost
- Choose the right CI field: the field must store the same value that PRTG includes in the alert email
- Two valid approaches: the CI workflow action handles everything in one step; raw API calls give more control (see Monitoring Alerts Tutorial)
Related Documentation
- Create Autotask Ticket by Configuration Item: full configuration reference
- Monitoring Alerts Tutorial: the same pattern built with individual API call actions
- UniFi Online/Offline Tutorial: another real-world alert workflow
- Core Concepts: how rules, actions, and variables work together
- The Zero Account: when to use it as a fallback